
Document automatic key management prerequisites

Merged. Libor Peltan requested to merge doc_autokeymgmt_prereq into master
Files: 2, +77 / -70
@@ -399,16 +399,22 @@ Automatic DNSSEC signing
Knot DNS supports automatic DNSSEC signing of zones. The signing
can operate in two modes:
1. :ref:`Automatic key management <dnssec-automatic-zsk-management>`.
1. :ref:`Manual key management <dnssec-manual-key-management>`.
In this mode, the server maintains zone signatures (RRSIGs) only. The
signatures are kept up-to-date and signing keys are rolled according to
timing parameters assigned to the keys. The keys must be generated and
timing parameters must be assigned by the zone operator.
2. :ref:`Automatic key management <dnssec-automatic-zsk-management>`.
In this mode, the server maintains signing keys. New keys are generated
according to assigned policy and are rolled automatically in a safe manner.
No zone operator intervention is necessary.
2. :ref:`Manual key management <dnssec-manual-key-management>`.
In this mode, the server maintains zone signatures only. The signatures
are kept up-to-date and signing keys are rolled according to timing
parameters assigned to the keys. The keys must be generated and timing
parameters must be assigned by the zone operator.
For automatic DNSSEC signing, :ref:`policy<Policy section>` has to
be configured and assigned to the zone. The policy specifies how the zone
is signed (i.e. signing algorithm, key size, key lifetime, signature lifetime,
etc.). If no policy is specified or the ``default`` one is assigned, the
default signing parameters are used.
The DNSSEC signing process maintains some metadata which is stored in the
:abbr:`KASP (Key And Signature Policy)` database. This database is backed
@@ -421,24 +427,63 @@ by LMDB.
the database also contains private key material – don't set the permissions
too weak.
.. _dnssec-automatic-zsk-management:
.. _dnssec-manual-key-management:
Automatic ZSK management
------------------------
Manual key management
---------------------
For automatic ZSK management a signing :ref:`policy<Policy section>` has to
be configured and assigned to the zone. The policy specifies how the zone
is signed (i.e. signing algorithm, key size, key lifetime, signature lifetime,
etc.). If no policy is specified or the ``default`` one is assigned, the
default signing parameters are used.
For automatic DNSSEC signing with manual key management, the
:ref:`policy_manual` flag has to be set in the policy::
A minimal zone configuration may look as follows::
policy:
- id: manual
manual: on
zone:
- domain: myzone.test
dnssec-signing: on
dnssec-policy: manual
With a custom signing policy, the policy section will be added::
To generate signing keys, use the :doc:`keymgr<man_keymgr>` utility.
For example, we can use Single-Type Signing:
.. code-block:: console
$ keymgr myzone.test. generate algorithm=ECDSAP256SHA256 ksk=yes zsk=yes
And reload the server. The zone will be signed.
To perform a manual rollover of a key, the timing parameters of the key need
to be set. Let's roll the key. Generate a new key, but do not activate
it yet:
.. code-block:: console
$ keymgr myzone.test. generate algorithm=ECDSAP256SHA256 ksk=yes zsk=yes active=+1d
Take the key ID (or key tag) of the old key and disable it the same time
the new key gets activated:
.. code-block:: console
$ keymgr myzone.test. set <old_key_id> retire=+2d remove=+3d
Reload the server again. The new key will be published (i.e. the DNSKEY record
will be added into the zone). Remember to update the DS record in the
parent zone to include a reference to the new key. This must happen within one
day (in this case) including a delay required to propagate the new DS to
caches.
.. _dnssec-automatic-zsk-management:
Automatic ZSK management
------------------------
With :ref:`policy_manual` set to ``off`` in the assigned policy (which is the
default), the DNSSEC keys are generated automatically (if not already existing)
and also automatically rolled over according to their configured lifetimes.
The default :ref:`policy_zsk-lifetime` is finite whereas :ref:`policy_ksk-lifetime`
infinite, meaning no KSK roll-overs take place in the following example: ::
policy:
- id: custom_policy
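Review bot: the new sentence "The default :ref:`policy_zsk-lifetime` is finite whereas :ref:`policy_ksk-lifetime` infinite" is missing "is" before "infinite", and "roll-overs" should be spelled "rollovers" as elsewhere in the file ("manual rollover", "finishes the rollover"); the trailing "example: ::" also differs from the plain "::" used a few lines up ("has to be set in the policy::"), so one form should be picked. In the manual rollover example moved into this section, the prose says the old key is disabled "the same time the new key gets activated", but the commands activate the new key at +1d and retire the old one at +2d; either the sentence should say the old key keeps signing one more day, or the offsets should agree with the sentence, since this is the step a zone operator will copy.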
@@ -457,8 +502,15 @@ After configuring the server, reload the changes:
$ knotc reload
The server will generate initial signing keys and sign the zone properly. Check
the server logs to see whether everything went well.
Check the server logs (regularly) to see whether everything went well.
.. NOTE::
Enabling automatic key management with already existing keys demands attention:
- Any key timers set at future timestamps are automatically cleared,
which prevents their interference with the automatic operation procedures.
- If the keys are in an inconsistent state (e.g. unexpected number of keys
or unexpected number of active keys) might lead to undefined behaviors
or at least a halt of key management.
.. _dnssec-automatic-ksk-management:
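Review bot: the second bullet of the new NOTE has no subject: "If the keys are in an inconsistent state (...) might lead to undefined behaviors". Suggest "Keys in an inconsistent state (e.g. an unexpected number of keys or of active keys) might lead to undefined behaviour or at least halt key management." In the first bullet, it is worth stating whether the clearing of future-dated timers is logged, because an operator who set retire/remove timestamps with keymgr otherwise gets no signal that the planned schedule was dropped when the policy was switched to automatic. "demands attention" would read better as "requires attention".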
@@ -466,8 +518,10 @@ Automatic KSK management
------------------------
For automatic KSK management, first configure ZSK management like above, and use
additional options in :ref:`policy section <Policy section>`, mostly specifying
desired (finite) lifetime for KSK: ::
:ref:`submission section <Submission section>` and several options in
:ref:`policy section <Policy section>`, specifying desired (finite) lifetime for
KSK and semi-automatic DS submission (see also :ref:`DNSSEC Key states` and
:ref:`DNSSEC Key rollovers`) : ::
remote:
- id: parent_zone_server
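Review bot: the rewritten lead sentence is hard to parse ("and use :ref:`submission section <Submission section>` and several options in :ref:`policy section <Policy section>`, specifying ... ) : ::"), and the " : ::" at the end leaves a stray space before the colon. Suggest: "For automatic KSK management, first configure ZSK management as above, then add a :ref:`submission section <Submission section>` and the :ref:`policy section <Policy section>` options that set a finite KSK lifetime and enable semi-automatic DS submission (see also :ref:`DNSSEC Key states` and :ref:`DNSSEC Key rollovers`)::". "like above" should be "as above" in any case.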
@@ -496,56 +550,9 @@ and the user shall propagate them to the parent. The server periodically checks
DS at the parent zone and when positive, finishes the rollover.
.. NOTE::
As the key timestamp semantics differ between the automatic and manual key
management, all key timestamps set in the future, either manually or during
a key import, are ignorred (cleared).
.. _dnssec-manual-key-management:
Manual key management
---------------------
For automatic DNSSEC signing with manual key management, a signing policy
with manual key management flag has to be set::
policy:
- id: manual
manual: on
zone:
- domain: myzone.test
dnssec-signing: on
dnssec-policy: manual
To generate signing keys, use the :doc:`keymgr<man_keymgr>` utility.
For example, we can use Single-Type Signing:
.. code-block:: console
$ keymgr myzone.test. generate algorithm=ECDSAP256SHA256 ksk=yes zsk=yes
And reload the server. The zone will be signed.
To perform a manual rollover of a key, the timing parameters of the key need
to be set. Let's roll the key. Generate a new key, but do not activate
it yet:
.. code-block:: console
$ keymgr myzone.test. generate algorithm=ECDSAP256SHA256 ksk=yes zsk=yes active=+1d
Take the key ID (or key tag) of the old key and disable it the same time
the new key gets activated:
.. code-block:: console
$ keymgr myzone.test. set <old_key_id> retire=+2d remove=+3d
Reload the server again. The new key will be published (i.e. the DNSKEY record
will be added into the zone). Remember to update the DS record in the
parent zone to include a reference to the new key. This must happen within one
day (in this case) including a delay required to propagate the new DS to
caches.
When the initial keys are automatically generated for the first time, the KSK
is actually in this ``ready`` state, so that the initial parent DS submission
can take place automatically.
.. _dnssec-signing:
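Review bot: in the added sentence "the KSK is actually in this ``ready`` state", "this" has no antecedent in the surrounding paragraph, which only describes the server checking the DS at the parent and finishing the rollover. Suggest "the KSK starts in the ``ready`` state (see :ref:`DNSSEC Key states`), so that the initial parent DS submission can take place automatically."; "actually" and "for the first time" (already implied by "initial") can go. Dropping the old NOTE here is fine since its content, including the "ignorred" typo, moves into the new NOTE in the ZSK section.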